60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 |
|
09-Feb-2018 |
Hristo Venev <hristo@venev.name> |
providers: Move hostid from ipa to sdap, v2
In the ldap provider, all option names are renamed to ldap_host_*. In
the ipa provider the names haven't been changed.
Host lookups for both ipa and ldap are handled in the ldap provider.
sss_ssh_knownhostsproxy works but hostgroups are still only available
in the ipa provider.
I've also added some documentation for the ldap provider.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f651d895bcb3fe6597fbf382e5b2955acddfe0c0 |
|
03-Jan-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Describe the constraints of ipa_server_mode better in the man page
Amends the sssd-ipa man page so that we explicitly say that:
* SSSD needs to be pointed at the IPA server itself
* SSSD currently needs to print fully qualified names for users for
trusted domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3484
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
89ed594e8800fdb288248006e8867a077a57bc6f |
|
21-Dec-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Document that auth and access IPA and AD providers rely on id_provider being set to the same type
The IPA and AD auth and access providers rely (often for performance
reasons) on certain properties that are set during the user or
group resolution with the same provider type.
However, there are users who wish to combine different provider types,
typically to use identities from local UNIX files but authenticate
against a remote server. We should discourage that in our documentation
(but at the same time, I think flat out failing would be too harsh..)
Resolves:
https://pagure.io/SSSD/sssd/issue/3547
Reviewed-by: Justin Stephenson <jstephen@redhat.com> |
fdefac9c4a5c9f2dcc8748ccb736e9a6910c2365 |
|
13-Sep-2017 |
AmitKumar <amitkuma@redhat.com> |
MAN: Improve ipa_hostname description
The description of ipa_hostname config option doesn't mention it must be
fully-qualified, although when using a non-fully qualified name IPA
server may behave weirdly. Thus, let's add this info to the man page.
Related: https://pagure.io/SSSD/sssd/issue/1946
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4a311702045b065a97a0c0fc0ccc7a1fc84b38cf |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Add ipa_deskprofile_request_interval
This option has been added to avoid contacting the Data Provider when no
rules were found in the previous request.
By adding this configurable option we avoid contacting the Data Provider
too often in the case described above and also when the server doesn't
support Desktop Profile's integration.
Resolves: https://pagure.io/SSSD/sssd/issue/3482
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f982039c75ec064894deb676ae53ee57de868590 |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Introduce the new IPA session provider
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.
As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.
It is also worth mentioning that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match with the freeIPA plugin. It
means that, for consistency, all source files, directories created,
options added, functions prefixes and so on are following the choice
accordingly.
[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html
Resolves:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2bd5bb45189c4916c09b5c8a13ebe509f8a0987a |
|
18-Jul-2017 |
AmitKumar <amitkuma@redhat.com> |
MAN: Updating option ipa_server_mode in man sssd-ipa
Changes done for section ipa_server_mode since description of section was a bit vague. Text is re-phrased for better understanding.
Resolves: https://pagure.io/SSSD/sssd/issue/3404
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
352f4832324839d358235de1236090b1fd4ddc0f |
|
28-Apr-2017 |
René Genz <liebundartig@freenet.de> |
Use correct spelling of override
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5424b90e870cf2b9d379df185cb6893c7f8b040c |
|
07-Mar-2017 |
Justin Stephenson <jstephen@redhat.com> |
MAN: Add dyndns_auth option
Add the dyndns_auth option into the AD or IPA provider man pages for
more configuration information of nsupdate behavior.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8caf7ba5005b3be5447311713ad2b58169f9d32f |
|
15-Nov-2016 |
Justin Stephenson <jstephen@redhat.com> |
MAN: Document different defaults for IPA provider
Update man pages for any IPA provider config options that differ from
ldap/krb5 provider back-end defaults
Resolves:
https://fedorahosted.org/sssd/ticket/3214
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
b7d7bdf24a6b286391175f1f9cc392faacb1ab8a |
|
28-Apr-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Drop the reference to IPAv2 in the man page
As suggested by Rob in
https://fedorahosted.org/sssd/ticket/1907#comment:2
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7c3cc1ee2914bc7b38a992c1af254fc76af5a1ad |
|
14-Aug-2015 |
Pavel Reichl <preichl@redhat.com> |
DYNDNS: Don't use server cmd in nsupdate by default
nsupdate command `server` should not be used for the first attempt
to update DNS. It should be used only in subsequent attempts after the
first attempt failed.
Resolves:
https://fedorahosted.org/sssd/ticket/2495
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8145ab51b05aa86b2f1a21b49383f55e50b0a2e3 |
|
14-Aug-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DYNDNS: Add a new option dyndns_server
Some environments use a different DNS server than identity server. For
these environments, it would be useful to be able to override the DNS
server used to perform DNS updates.
This patch adds a new option dyndns_server that, if set, would be used
to hardcode a DNS server address into the nsupdate message.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
0a26e92fb2a4dd9704a0578f90241997e2aed269 |
|
24-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
DYNDNS: special value '*' for dyndns_iface option
Option dyndns_iface has now special value '*' which implies that IPs
from all interfaces should be sent during DDNS update. |
038b9ba28a618e3e553803da632116a040b94034 |
|
24-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
DYNDNS: support mult. interfaces for dyndns_iface opt
Resolves:
https://fedorahosted.org/sssd/ticket/2549 |
6dff95bdfe437afc0b62b5270d0d84140981c786 |
|
24-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Remove the ipa_hbac_treat_deny_as option
https://fedorahosted.org/sssd/ticket/2603
Since deny rules are no longer supported on the server, the client
should no longer support them either. Remove the option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
702176303382b5a385e90fe68ad2c32bd708ebf1 |
|
15-Jan-2015 |
Pavel Reichl <preichl@redhat.com> |
MAN: dyndns_iface supports only one interface
Resolves:
https://fedorahosted.org/sssd/ticket/2548
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ecf9e7a870945ecfba8eb751d344de3601de9424 |
|
14-Jan-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
MAN: Remove indentation in element programlistening
The indentation is automatically in resulting man page. It isn't necessary to
add spaces and moreover it can cause unreadable page as in case of ad_gpo_map
examples.
Reviewed-by: Roland Mainz <rmainz@redhat.com> |
4fa184e2c60b377fd71e0115a618bd68dc73627d |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
AD/IPA: add krb5_confd_path configuration option
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ab355eced46b5f488ed62a79a7f2e5ac2b6a574c |
|
05-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Views: apply user SSH public key override
With this patch the SSH public key override attribute is read from the
FreeIPA server and saved in the cache with the other override data.
Since it is possible to have multiple public SSH keys this override
value does not replace any other data but will be added to existing
values.
Fixes https://fedorahosted.org/sssd/ticket/2454
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
08ab0d4ede41a1749e0bc26f78a37a4d10c20db8 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: add view support and get view name
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4a494e7d686d97ebb3260fa75d10466575d01e69 |
|
17-Feb-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Clarify the new krb5_use_fast IPA default |
65a8e6e655c22027d3e02ea697972111f2a33e33 |
|
11-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Fix refsect-id
The refsect id was copied from sssd.conf(5) and was wrong. Fixing the
refsect might help us if we ever generate other formats from XML and
certainly wouldn't hurt. |
7b58d637c20f87e1e49ffc1d49a4de8b25ef06bb |
|
20-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Fix provider man page subtitle |
caf576da562bf7bd30e74ad921c1212ec7d230bc |
|
13-Sep-2013 |
Ondrej Kos <okos@redhat.com> |
IPA: Deprecate ipa_hbac_support_srchost option
This option got already deprecated on the ipa server side.
Option is undocumented and warning is printed both to the sssd log files
and syslog.
Resolves:
https://fedorahosted.org/sssd/ticket/1918 |
777b638893289fa0b8743415ff1945c6468bd8b0 |
|
13-Sep-2013 |
Ondrej Kos <okos@redhat.com> |
MAN: Remove IPA specific LDAP settings
Resolves:
https://fedorahosted.org/sssd/ticket/1187 |
898c4f965aeea2aa029ad56b9e9f48abce17a582 |
|
25-Jul-2013 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix two minor typos |
0249e8d37920f59fd70bdafa4f6706a05ae523c1 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Add a server mode option
https://fedorahosted.org/sssd/ticket/1993
SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option, is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set. |
593c4a91596640eafe798e8aac700d0f3ce7ba37 |
|
30-May-2013 |
Ondrej Kos <okos@redhat.com> |
MAN: state default dyndns interface
https://fedorahosted.org/sssd/ticket/1924 |
105c7a324c3ee2930b23513ae73aeddce0d8c347 |
|
14-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
man: Note that IPA updates are secured with GSS-TSIG |
41bfa213a0994cebcef5f69fd2c353136c803ae4 |
|
06-May-2013 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix minor typos |
e45b81abe0aafa8a04bd64ac31a2fac63ce675b7 |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: new option dyndns_force_tcp
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server. |
38ebc764eeb7693e0c4f0894d6687e54fbba871b |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: New option dyndns_update_ptr
https://fedorahosted.org/sssd/ticket/1832
While some servers, such as FreeIPA allow the PTR record to be
synchronized when the forward record is updated, other servers,
including Active Directory, require that the PTR record is synchronized
manually.
This patch adds a new option, dyndns_update_ptr that automatically
generates appropriate DNS update message for updating the reverse zone.
This option is off by default in the IPA provider.
Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg |
5a4239490c7fb7d732180a9d40f27f0247c56631 |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
dyndns: new option dyndns_refresh_interval
This new option adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records. |
04868f1573f4b26ef34610b6d7069172f93bd8ab |
|
03-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Convert IPA-specific options to be back-end agnostic
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning. |
88275cccddf39892e01682b39b02292eb74729bd |
|
10-Apr-2013 |
Pavel Březina <pbrezina@redhat.com> |
DNS sites support - add IPA SRV plugin
https://fedorahosted.org/sssd/ticket/1032 |
3bfb5e2c7fb452a6a2809829213148870d49d4e0 |
|
03-Apr-2013 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix typos in man pages |
ba4378f49914e65a7d687a872d9b938173841154 |
|
19-Mar-2013 |
Michal Zidek <mzidek@redhat.com> |
Make the SELinux refresh time configurable.
Option ipa_selinux_refresh is added to basic ipa options. |
5063dcc5ab685dce325b13b9c1e93cee2a673e60 |
|
14-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Run IPA subdomain provider if IPA ID provider is configured
To make configuration easier the IPA subdomain provider should be always
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used the IPA
subdomain provider should behave differently if configured explicitly or
implicitly.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf, subdomain requests are always sent to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will be only sent to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch saves the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613 |
778491bebee536a196afc29b0d9953843a5374b2 |
|
14-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Always start PAC responder if IPA ID provider is configured
Since the PAC responder is used during the authentication of users from
trusted realms it is started automatically if the IPA ID provider is
configured for a domain to simplify the configuration.
Fixes https://fedorahosted.org/sssd/ticket/1613 |
4fb12db7504920d12ea7db71f312334c877bff7c |
|
16-Oct-2012 |
James Hogarth <james.hogarth@gmail.com> |
Make TTL configurable for dynamic dns updates |
002dfe55ef258b73ca85eb813b1a156789b7702a |
|
05-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
man: Note that automounter must be restarted to re-read the master map
https://fedorahosted.org/sssd/ticket/1563 |
c0d9babd59c81c12ca182ab3a72176d4fae494a4 |
|
03-Aug-2012 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix various typos in documentation. |
46118ee53dc0d25e449cd7e37e624a4c62b78ee2 |
|
01-Aug-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Primary server support: new option in IPA provider
This patch adds support for new config option ipa_backup_server. The
description of this option's functionality is included in man page in
one of previous patches. |
544525ee1fc54d744c08465066e2b4a521f78224 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Unify "SEE ALSO" sections |
84c611c1b7c04cc7735ab54d4e5f48284b79e6fb |
|
10-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA subdomains - ask for information about master domain
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain. |
81165faf5d951aca69f410713730c26ff048ec44 |
|
24-Apr-2012 |
Sumit Bose <sbose@redhat.com> |
IPA: Add get-domains target |
620033ce66f4827be9d508c77483fab0270d9869 |
|
07-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: IPA provider |
1a7d1977037864e52858058777af8ff8401547dd |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
IPA: Add host info handler |
28eff88014a299041564e829b8b6e0f159baa24d |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Man pages for the session target and SELinux user maps fetching |
2be3039b8fc8ec07a323d15060123366da786dc5 |
|
17-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Detect nsupdate support for the realm directive
For older platforms, do not add the 'realm' line in
the update message |
e4ae14ff4b2b37ce2e356a77c687e33e6d5a2b33 |
|
14-Jan-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add info about ipa_host_search_base to man page
Also add comment that setting ipa_hbac_support_srchost to False disables
search filters given in ipa_host_search_base |
6fb75e297bf7fc83e3db1f5ae8560624656ef319 |
|
29-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add ipa_hbac_support_srchost option to IPA provider
don't fetch all host groups if this option is false
https://fedorahosted.org/sssd/ticket/1078 |
544de543ee88961272e9b9c5baa2c0d296162965 |
|
23-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Added and modified options for IPA netgroups |
f0a34aeb49f3efd4c94b5afcb22671aac3098ddb |
|
10-Nov-2011 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix typos in manual pages |
7dfc7617085c403d30debe9f08d4c9bcca322744 |
|
02-Nov-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Add support to request canonicalization on krb AS requests
https://fedorahosted.org/sssd/ticket/957 |
83ac515cf3b9d278f8df3bbd08d6ae53b5666120 |
|
13-Oct-2011 |
Jan Zeleny <jzeleny@redhat.com> |
man page fix (lists are comma-separated)
https://fedorahosted.org/sssd/ticket/1024 |
98fc4cbc838615a88b9725a13ab7491e89cbac32 |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period. |
1360b4f4d6e948023daeda8787f575e7f8117444 |
|
08-Jul-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server. |
073e71701dc28e21aaa1750d8b456ac699b8dda8 |
|
28-Feb-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use realm for basedn instead of IPA domain
https://fedorahosted.org/sssd/ticket/807 |
56789cfa13f85071f5fb37575fa1f1071f587efc |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add ipa_hbac_search_base config option |
39b0adeaaf2429c7cbad045f7f8a79d51d02bee5 |
|
13-Oct-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Man pages should mention supported providers
Each back end can support id, auth or access provider, but each
back end supports different subset of these. Man pages should
describe which providers are supported by each back end.
Ticket: #615 |
48a038d077ed2de18a5211e010c18ab680107293 |
|
16-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add dynamic DNS updates to FreeIPA
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency). |
57614e56dd272db0f71abc442b1515d79fd16169 |
|
07-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Revert "Add dynamic DNS updates to FreeIPA"
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7.
While this patch applied cleanly, it was uncompilable. Reverting
until it can be properly merged. |
973b7c27c0b294b8b2f120296f64c6a3a36e44b7 |
|
07-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add dynamic DNS updates to FreeIPA
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency). |
66da80489c0114878043b40592c5f47d41eb0ffd |
|
07-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Use service discovery in backends
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set. |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |